Managing your personal access tokens

You can use a personal access token in place of a password when authenticating to GitHub in the command line or with the API.

Warning: Treat your access tokens like passwords. For more information, see "Keeping your personal access tokens secure."

About personal access tokens

Personal access tokens are an alternative to using passwords for authentication to GitHub when using the GitHub API or the command line.

Personal access tokens are intended to access GitHub resources on behalf of yourself. To access resources on behalf of an organization, or for long-lived integrations, you should use a GitHub App. For more information, see "About creating GitHub Apps."

Types of personal access tokens

GitHub currently supports two types of personal access tokens: fine-grained personal access tokens and personal access tokens (classic). GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible.

Organization owners can set a policy to restrict the access of personal access tokens (classic) to their organization. For more information, see "Setting a personal access token policy for your organization."

Fine-grained personal access tokens

Fine-grained personal access tokens have several security advantages over personal access tokens (classic):

  • Each token can only access resources owned by a single user or organization.
  • Each token can only access specific repositories.
  • Each token is granted specific permissions, which offer more control than the scopes granted to personal access tokens (classic).
  • Each token must have an expiration date.
  • Organization owners can require approval for any fine-grained personal access tokens that can access resources in the organization.

Personal access tokens (classic)

Personal access tokens (classic) are less secure. However, some features can only be used with personal access tokens (classic):

  • Only personal access tokens (classic) have write access to public repositories that are not owned by you, or that are owned by an organization you are not a member of.
  • Outside collaborators can only use personal access tokens (classic) to access organization repositories that they are a collaborator on.
  • Only personal access tokens (classic) can access the GraphQL API.
  • Some REST API operations are not available to fine-grained personal access tokens. For a list of REST API operations that are supported for a fine-grained personal access token, see "Endpoints available for fine-grained personal access tokens."

If you choose to use a personal access token (classic), keep in mind that it will grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account.

As a security precaution, GitHub automatically removes any personal access token that has not been used in a year. For additional security, we strongly recommend adding an expiration to every personal access token.
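An added example, not part of GitHub's documentation: a Python check that flags the risks this section describes (classic token type, no expiration, broad scopes) from a token's prefix and the response headers of an authenticated REST API call. The token and headers are constructed samples, and the set of scopes treated as broad is an assumption of this example.

```python
"""Audit a personal access token from its prefix and REST API response headers."""

BROAD_SCOPES = {"repo", "admin:org", "delete_repo"}  # assumption: scopes flagged as broad


def token_type(token):
    """Classify a token by the prefix GitHub puts on it."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def parse_headers(raw):
    """Turn raw 'Name: value' header lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # skips the status line, which has no colon
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(token, raw_headers):
    """Return a list of findings; an empty list means nothing was flagged."""
    headers = parse_headers(raw_headers)
    findings = []
    if token_type(token) == "classic":
        findings.append("classic token: reaches every repository the account can access")
    if "github-authentication-token-expiration" not in headers:
        findings.append("no expiration set")
    granted = {s.strip() for s in headers.get("x-oauth-scopes", "").split(",") if s.strip()}
    for scope in sorted(granted & BROAD_SCOPES):
        findings.append(f"broad scope granted: {scope}")
    return findings


# Constructed sample: a placeholder classic token and the headers of one API response.
SAMPLE_TOKEN = "ghp_" + "0" * 36
SAMPLE_HEADERS = """\
HTTP/2 200
X-OAuth-Scopes: repo, read:org
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TOKEN, SAMPLE_HEADERS):
        print("-", finding)
```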

Keeping your personal access tokens secure

Personal access tokens are like passwords, and they share the same inherent security risks. Before creating a new personal access token, consider if there is a more secure method of authentication available to you:

If these options are not possible, and you must create a personal access token, consider using another service such as the 1Password CLI to store your token securely, or 1Password's GitHub shell plugin to securely authenticate to GitHub CLI.

When using a personal access token in a script, you can store your token as a secret and run your script through GitHub Actions. For more information, see "Encrypted secrets." You can also store your token as a Codespaces secret and run your script in Codespaces. For more information, see "Managing encrypted secrets for your codespaces."

For more information about best practices, see "Keeping your API credentials secure."

Creating a fine-grained personal access token

Note: Fine-grained personal access tokens are in beta and subject to change. To leave feedback, see the feedback discussion.

  1. Verify your email address, if it hasn't been verified yet.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of GitHub's account menu showing options for users to view and edit their profile, content, and settings. The menu item "Settings" is outlined in dark orange.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, under Personal access tokens, click Fine-grained tokens.

  5. Click Generate new token.

  6. Under Token name, enter a name for the token.

  7. Under Expiration, select an expiration for the token.

  8. Optionally, under Description, add a note to describe the purpose of the token.

  9. Under Resource owner, select a resource owner. The token will only be able to access resources owned by the selected resource owner. Organizations that you are a member of will not appear unless the organization opted in to fine-grained personal access tokens. For more information, see "Setting a personal access token policy for your organization."

  10. Optionally, if the resource owner is an organization that requires approval for fine-grained personal access tokens, below the resource owner, in the box, enter a justification for the request.

  11. Under Repository access, select which repositories you want the token to access. You should choose the minimal repository access that meets your needs. Tokens always include read-only access to all public repositories on GitHub.

  12. If you selected Only select repositories in the previous step, under the Selected repositories dropdown, select the repositories that you want the token to access.

  13. Under Permissions, select which permissions to grant the token. Depending on which resource owner and which repository access you specified, there are repository, organization, and account permissions. You should choose the minimal permissions necessary for your needs. For more information about what permissions are required for each REST API operation, see "Permissions required for fine-grained personal access tokens."

  14. Click Generate token.

If you selected an organization as the resource owner and the organization requires approval for fine-grained personal access tokens, then your token will be marked as pending until it is reviewed by an organization administrator. Your token will only be able to read public resources until it is approved. If you are an owner of the organization, your request is automatically approved. For more information, see "Reviewing and revoking personal access tokens in your organization."

Creating a personal access token (classic)

Note: Organization owners can restrict the access of personal access token (classic) to their organization. If you try to use a personal access token (classic) to access resources in an organization that has disabled personal access token (classic) access, your request will fail with a 403 response. Instead, you must use a GitHub App, OAuth App, or fine-grained personal access token.

Note: Your personal access token (classic) can access every repository that you can access. GitHub recommends that you use fine-grained personal access tokens instead, which you can restrict to specific repositories. Fine-grained personal access tokens also enable you to specify fine-grained permissions instead of broad scopes.

  1. Verify your email address, if it hasn't been verified yet.

  2. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of GitHub's account menu showing options for users to view and edit their profile, content, and settings. The menu item "Settings" is outlined in dark orange.

  3. In the left sidebar, click Developer settings.

  4. In the left sidebar, under Personal access tokens, click Tokens (classic).

  5. Select Generate new token, then click Generate new token (classic).

  6. In the "Note" field, give your token a descriptive name.

  7. To give your token an expiration, select Expiration, then choose a default option or click Custom to enter a date.

  8. Select the scopes you'd like to grant this token. To use your token to access repositories from the command line, select repo. A token with no assigned scopes can only access public information. For more information, see "Scopes for OAuth Apps."

  9. Click Generate token.

  10. Optionally, to copy the new token to your clipboard, click the copy icon.

    Screenshot of the "Personal access tokens" page. Next to a blurred-out token, an icon of two overlapping squares is outlined in orange.

  11. To use your token to access resources owned by an organization that uses SAML single sign-on, authorize the token. For more information, see "Authorizing a personal access token for use with SAML single sign-on" in the GitHub Enterprise Cloud documentation.

Deleting a personal access token

  1. In the upper-right corner of any page, click your profile photo, then click Settings.

    Screenshot of GitHub's account menu showing options for users to view and edit their profile, content, and settings. The menu item "Settings" is outlined in dark orange.

  2. In the left sidebar, click Developer settings.

  3. In the left sidebar, under Personal access tokens, click either Fine-grained tokens or Tokens (classic), depending on which type of personal access token you'd like to delete.

  4. To the right of the personal access token you want to delete, click Delete.

Using a personal access token on the command line

Once you have a personal access token, you can enter it instead of your password when performing Git operations over HTTPS.

For example, to clone a repository on the command line you would enter the following git clone command. You would then be prompted to enter your username and password. When prompted for your password, enter your personal access token instead of a password.

$ git clone https://github.com/USERNAME/REPO.git
Username: YOUR_USERNAME
Password: YOUR_PERSONAL_ACCESS_TOKEN

Personal access tokens can only be used for HTTPS Git operations. If your repository uses an SSH remote URL, you will need to switch the remote from SSH to HTTPS.

If you are not prompted for your username and password, your credentials may be cached on your computer. You can update your credentials in the Keychain to replace your old password with the token.

Instead of manually entering your personal access token for every HTTPS Git operation, you can cache your personal access token with a Git client. Git will temporarily store your credentials in memory until an expiry interval has passed. You can also store the token in a plain text file that Git can read before every request. For more information, see "Caching your GitHub credentials in Git."
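An added example, not part of GitHub's documentation: a minimal Git credential helper in Python that serves the token from an environment variable filled by your secret store, so it never sits in a plain text file, and that answers only for HTTPS requests to github.com. The variable names GH_PAT and GH_PAT_USER are assumptions of this example.

```python
#!/usr/bin/env python3
"""Git credential helper: hand out a PAT from the environment, GitHub over HTTPS only."""
import os
import sys

TOKEN_VAR = "GH_PAT"       # assumption: populated by your secret manager or CI secret
USER_VAR = "GH_PAT_USER"   # assumption: holds your GitHub username


def parse_request(text):
    """Parse the key=value lines Git writes to a helper's stdin (a blank line ends them)."""
    fields = {}
    for line in text.splitlines():
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def respond(operation, request_text, env):
    """Return the helper's stdout for one call; an empty string means 'no credential'."""
    if operation != "get":  # ignore 'store' and 'erase': nothing is ever written to disk
        return ""
    req = parse_request(request_text)
    # Answer only for HTTPS to github.com, so the token is never offered to
    # another host or sent over an unencrypted transport.
    if req.get("protocol") != "https" or req.get("host") != "github.com":
        return ""
    token = env.get(TOKEN_VAR, "")
    user = req.get("username") or env.get(USER_VAR, "")
    if not token or not user or "\n" in token or "\n" in user:
        return ""
    return f"username={user}\npassword={token}\n"


if __name__ == "__main__":
    op = sys.argv[1] if len(sys.argv) > 1 else ""
    sys.stdout.write(respond(op, sys.stdin.read(), os.environ))
```

To use it, make the file executable and set `credential.helper` to its absolute path with `git config`; Git then calls it with `get` whenever it needs credentials for an HTTPS remote.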
